Page Owners Can't Remove or Change the Page Roles of Deactivated Users (or of an Attacker Who Blocks the Page Owner) in Facebook Lite, Facebook for Android and touch.facebook.com
April 22 | 2 Minutes Read
Description
If the attacker deactivates his account or blocks the Page Owner, the Page Owner will no longer be able to remove or change the attacker's page role in Facebook Lite, Facebook for Android and touch.facebook.com.
Impact
An attacker who holds a page role can keep persistent access to the page, because the owner's only means of revoking that role stops working once the attacker deactivates or blocks the owner.
Setup
Users:
- UserOne
- UserTwo
Environment:
- PageOne with Owner UserOne and admins UserOne and UserTwo.
Steps of Reproduction
- As UserOne, create a Page, PageOne
- Add UserTwo as the admin of PageOne
- UserTwo deactivates his account or blocks UserOne
- UserOne will now not be able to remove UserTwo’s page role or change his page role in Facebook Lite, Facebook for Android and touch.facebook.com
FBDL
[setup]
User UserOne
User UserTwo
Page PageH with {owner: UserOne, admins: [UserTwo]}
[action]
UserTwo deactivate_account UserTwo
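The failure mode above, modelled as an added example (hypothetical code, not Facebook's): the buggy role removal first resolves the target through the acting owner's view of the social graph, so a target that is deactivated or has blocked the owner becomes unreachable and the role can never be revoked; the fixed version checks only the actor's authority over the page. The `User`, `Page`, `remove_role_buggy` and `remove_role_fixed` names are assumptions.

```python
# Added example modelling the report: a page-role removal that is gated on
# whether the acting owner can "see" the target account. Hypothetical model,
# not Facebook's code.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    active: bool = True
    blocked: set = field(default_factory=set)  # names this user has blocked

    def visible_to(self, viewer: "User") -> bool:
        # Deactivated accounts and accounts that blocked the viewer are hidden.
        return self.active and viewer.name not in self.blocked


@dataclass
class Page:
    owner: User
    roles: dict = field(default_factory=dict)  # user name -> role


def remove_role_buggy(page: Page, actor: User, target: User) -> bool:
    """Vulnerable: the target is resolved through the actor's view first, so a
    deactivated admin, or one who blocked the owner, can never be removed."""
    if actor is not page.owner:
        return False
    if not target.visible_to(actor):
        return False  # lookup fails; the role silently stays in place
    page.roles.pop(target.name, None)
    return True


def remove_role_fixed(page: Page, actor: User, target: User) -> bool:
    """Hardened: the only check is the actor's authority over the page; the
    target's visibility to the actor is irrelevant to role management."""
    if actor is not page.owner:
        return False
    page.roles.pop(target.name, None)
    return True


def demo():
    owner, attacker = User("UserOne"), User("UserTwo")
    page = Page(owner=owner, roles={"UserOne": "admin", "UserTwo": "admin"})
    attacker.blocked.add(owner.name)  # UserTwo blocks the owner (deactivating behaves the same)
    buggy = remove_role_buggy(page, owner, attacker)   # False: UserTwo keeps admin
    fixed = remove_role_fixed(page, owner, attacker)   # True: role revoked
    return buggy, fixed, "UserTwo" in page.roles
```

The same mistake shows up whenever a privileged management action is routed through a lookup the target can influence; role revocation should depend only on the actor's rights over the resource.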
Timeline:
- Reported: Sunday, December 20, 2020
- Pre-Triaged: Wednesday, December 23, 2020 at 4:35 AM
- Triaged: Friday, December 25, 2020 at 10:32 AM
- Fixed: Monday, March 1, 2021 at 11:21 PM
- Bounty Awarded ($525, including bonus): Thursday, April 22, 2021 at 10:51 PM